
Dependabot cannot update to a non-vulnerable version #5927

Closed
1 task done
billinghamj opened this issue Oct 19, 2022 · 8 comments
Labels
T: bug 🐞 Something isn't working

Comments

@billinghamj

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

Yarn 3.2.0

Language version

No response

Manifest location and content before the Dependabot update

js/yarn.lock


dependabot.yml content

version: 2

updates:
- package-ecosystem: npm
  directory: "/js"
  schedule:
    interval: daily
  ignore:
  # matched vaguely against Expo's dependency API
  # e.g. https://exp.host/--/api/v2/sdks/46.0.0/native-modules
  - dependency-name: "@react-native-async-storage/async-storage"
  - dependency-name: "@sentry/react-native"
  - dependency-name: "expo-*"
  - dependency-name: "lottie-react-native"
  - dependency-name: "react"
  - dependency-name: "react-dom"
  - dependency-name: "react-native"
  - dependency-name: "react-native-safe-area-context"
  - dependency-name: "react-native-screens"
  - dependency-name: "react-native-svg"
  - dependency-name: "react-native-web"
  - dependency-name: "react-native-webview"
  - dependency-name: "sentry-expo"

Updated dependency

@xmldom/xmldom is currently on 0.7.5

It should be updated to 0.7.6

What you expected to see, versus what you actually saw

Dependabot should have opened a PR updating @xmldom/xmldom to 0.7.6

Instead, it claims it's not able to, but there's nothing preventing this in the required resolutions


Native package manager behavior

Running yarn up -R @xmldom/xmldom works great, no problem:


Images of the diff or a link to the PR, issue, or logs

Private, but fine for GH staff to look at it:

updater | INFO <job_487160402> Checking if @xmldom/xmldom 0.7.5 needs updating
  proxy | 2022/10/19 17:44:38 [016] GET https://registry.npmjs.org:443/@xmldom%2Fxmldom
  proxy | 2022/10/19 17:44:38 [016] 200 https://registry.npmjs.org:443/@xmldom%2Fxmldom
  proxy | 2022/10/19 17:44:38 [018] GET https://registry.npmjs.org:443/@xmldom%2Fxmldom/0.8.3
  proxy | 2022/10/19 17:44:38 [018] 200 https://registry.npmjs.org:443/@xmldom%2Fxmldom/0.8.3
  proxy | 2022/10/19 17:44:41 [058] GET https://registry.yarnpkg.com:443/@xmldom%2fxmldom
  proxy | 2022/10/19 17:44:41 [058] 200 https://registry.yarnpkg.com:443/@xmldom%2fxmldom
  proxy | 2022/10/19 17:45:02 [046] GET https://registry.yarnpkg.com:443/@xmldom%2fxmldom
  proxy | 2022/10/19 17:45:02 [046] 200 https://registry.yarnpkg.com:443/@xmldom%2fxmldom
  proxy | 2022/10/19 17:45:16 [247] GET https://registry.npmjs.org:443/@xmldom%2Fxmldom/0.7.6
  proxy | 2022/10/19 17:45:16 [247] 200 https://registry.npmjs.org:443/@xmldom%2Fxmldom/0.7.6
updater | INFO <job_487160402> The latest possible version of @xmldom/xmldom that can be installed is 0.7.5

Smallest manifest that reproduces the issue

No response
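As an added example (not from the issue or from Dependabot's own code), a small Python check over the updater/proxy log above that flags the contradiction the report describes: the proxy fetched metadata for newer versions with HTTP 200, yet the updater concluded the current version was the latest installable. The regexes and the sample log are assumptions based on the log format quoted in the issue.

```python
import re

# Constructed sample: a trimmed copy of the updater/proxy lines quoted in the issue.
SAMPLE_LOG = """\
updater | INFO <job_487160402> Checking if @xmldom/xmldom 0.7.5 needs updating
  proxy | 2022/10/19 17:44:38 [016] GET https://registry.npmjs.org:443/@xmldom%2Fxmldom
  proxy | 2022/10/19 17:44:38 [016] 200 https://registry.npmjs.org:443/@xmldom%2Fxmldom
  proxy | 2022/10/19 17:44:38 [018] GET https://registry.npmjs.org:443/@xmldom%2Fxmldom/0.8.3
  proxy | 2022/10/19 17:44:38 [018] 200 https://registry.npmjs.org:443/@xmldom%2Fxmldom/0.8.3
  proxy | 2022/10/19 17:45:16 [247] GET https://registry.npmjs.org:443/@xmldom%2Fxmldom/0.7.6
  proxy | 2022/10/19 17:45:16 [247] 200 https://registry.npmjs.org:443/@xmldom%2Fxmldom/0.7.6
updater | INFO <job_487160402> The latest possible version of @xmldom/xmldom that can be installed is 0.7.5
"""

# Patterns assumed from the log lines shown in the issue (not an official format).
CHECK_RE = re.compile(r"Checking if (\S+) (\d+\.\d+\.\d+) needs updating")
LATEST_RE = re.compile(r"The latest possible version of (\S+) that can be installed is (\d+\.\d+\.\d+)")
FETCH_RE = re.compile(r"\s200 https://[^/]+/(\S+?)/(\d+\.\d+\.\d+)$")


def semver(v: str) -> tuple:
    """Numeric tuple so that 0.7.10 sorts after 0.7.6 (string comparison would not)."""
    return tuple(int(p) for p in v.split("."))


def unquote_name(raw: str) -> str:
    """The proxy percent-encodes the scope slash (@xmldom%2Fxmldom), sometimes lowercase."""
    return raw.replace("%2F", "/").replace("%2f", "/")


def find_stuck_updates(log: str) -> dict:
    """Return {package: {...}} for every package where the updater reported it cannot move
    past the current version although the proxy successfully fetched a newer version."""
    current, claimed, fetched = {}, {}, {}
    for line in log.splitlines():
        if m := CHECK_RE.search(line):
            current[m.group(1)] = m.group(2)
        elif m := LATEST_RE.search(line):
            claimed[m.group(1)] = m.group(2)
        elif m := FETCH_RE.search(line):
            fetched.setdefault(unquote_name(m.group(1)), set()).add(m.group(2))
    stuck = {}
    for pkg, cur in current.items():
        newer = sorted((v for v in fetched.get(pkg, ()) if semver(v) > semver(cur)), key=semver)
        if newer and pkg in claimed and semver(claimed[pkg]) <= semver(cur):
            stuck[pkg] = {"current": cur, "claimed_latest": claimed[pkg], "fetched_newer": newer}
    return stuck


if __name__ == "__main__":
    for pkg, info in find_stuck_updates(SAMPLE_LOG).items():
        print(f"{pkg}: stuck at {info['current']} although {info['fetched_newer']} were fetched")
```

Run against a full Dependabot job log, a non-empty result is a hint that the updater's resolution step (not the registry) is what blocked the security update, which is the situation pavera traced to a private package below.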

@billinghamj billinghamj added the T: bug 🐞 Something isn't working label Oct 19, 2022
@billinghamj
Author

Important note: the Yarn v2 flag is enabled for our repo ⚠️

@jurre Tagging you as requested 😊

@pavera
Contributor

pavera commented Oct 19, 2022

I'll take a look at this @billinghamj. I'm actually setting up a test based on a similar issue from last week. Hopefully I can run it to ground quickly.

@pavera
Contributor

pavera commented Oct 19, 2022

I'm able to successfully recreate this by including a private package that isn't available on registry.npmjs.org or registry.yarnpkg.com. Looking at the logs it appears this is the state your repo is in as well. I'm now investigating the exact cause of the failure.

@billinghamj
Author

Nice, thank you!

Yeah we have several packages within our monorepo/Yarn workspace

@pavera
Contributor

pavera commented Oct 20, 2022

I've got a fix #5930 I'm getting ready to deploy. It still requires that any private registries be correctly configured or the update will fail, but previously even with correct configuration the update would fail.

@pavera
Contributor

pavera commented Oct 20, 2022

@billinghamj I've deployed the above fix now, could you give it another try and see what the result is?

@billinghamj
Author

@pavera Sorry, we manually updated yesterday as it was a security alert

@pavera
Contributor

pavera commented Oct 20, 2022

In that case, I'll go ahead and close this, feel free to re-open it if another security alert comes up and we fail to provide a PR.

@pavera pavera closed this as completed Oct 20, 2022